Overview
CVE-2007-3227 is a cross-site scripting (XSS, CWE-79) vulnerability in Rails' ActiveRecord::Base#to_json before edge revision 9606. to_json serialised attribute values without escaping the characters an HTML parser cares about, so when a view embedded that JSON in a page without further escaping, attacker-controlled attribute values reached the browser as markup and script.
This guide frames it through Improper Inventory Management (OWASP API Security Top 10 category API9:2023), showing how an outdated dependency state and unsafe data embedding together amplify risk in Ruby on Rails apps.
The vulnerability manifests when a view renders a model's JSON straight into HTML or into a <script> body. A crafted attribute value such as </script><script>...</script> closes the script element: the HTML tokenizer acts on the literal </script> sequence before the JavaScript parser ever sees the JSON, so the quotes around the JSON string value offer no protection, and the attacker's script runs in the page's origin.
Remediation involves upgrading Rails to a release that carries the fix (Rails' JSON encoder now escapes <, > and & as \u003c, \u003e and \u0026 by default, controlled by ActiveSupport::JSON::Encoding.escape_html_entities_in_json); where JSON must be embedded in JavaScript, placing it inside a string literal escaped with j (escape_javascript) and parsing it with JSON.parse, since j escapes for a JavaScript string context and will break a bare object literal; avoiding raw JSON in HTML altogether (for example by passing it through a normally HTML-escaped data attribute); validating inputs; a Content-Security-Policy that restricts inline script; and keeping an SBOM so that outdated Rails dependencies are visible in the inventory.
Affected Versions
Rails before edge 9606
Code Fix Example
Ruby on Rails API Security Remediation
Vulnerable pattern (ERB):
<script type="text/javascript">
// Vulnerable: the model's JSON is interpolated verbatim into the script body,
// so an attribute value containing </script> closes the element early
var user = <%= @user.to_json %>;
</script>
Fixed pattern (ERB):
<script type="text/javascript">
// Safe: j (escape_javascript) escapes for a JS *string* context, so the JSON
// goes inside quotes and is parsed back; applied to a bare object literal it
// would turn the JSON's own double quotes into \" and break the syntax.
// On Rails 3+ wrap it in raw(...) so ERB does not HTML-entity-encode the quotes.
var user = JSON.parse('<%= j @user.to_json %>');
</script>
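As an added, stand-alone example (not from this page and not Rails' own code), the following Ruby script reproduces the script-element break-out described in the Overview and checks both remediation strategies against it: the HTML-safe JSON encoding modern ActiveSupport applies by default (escape_html_entities_in_json), and the j + JSON.parse pattern from the fixed ERB above. It needs only the stdlib json library. The record, the payload and the escape_javascript function are constructed for the demonstration; escape_javascript reimplements the escape map of the Rails helper rather than calling it.

```ruby
# Added example: stand-alone reproduction of the <script> break-out and of two
# fixes. Not the page's or Rails' own code; only the stdlib json library is used.
require "json"

# Constructed attacker-controlled attribute value (e.g. a profile "name").
PAYLOAD = "</script><script>alert(document.cookie)</script>".freeze

# Constructed stand-in for the record behind @user.to_json.
USER = { "id" => 1, "name" => PAYLOAD }.freeze

def script_tag(body)
  "<script type=\"text/javascript\">\n#{body}\n</script>"
end

# Unpatched pattern: <%= @user.to_json %> dropped verbatim into a script body.
def naive_embed(record)
  script_tag("var user = #{JSON.generate(record)};")
end

# The HTML tokenizer ends the script element at the first "</script>" it sees,
# before the JavaScript parser ever runs, so JSON string quoting is no defence.
# A fragment containing more than one "</script>" has been broken out of.
def breaks_out?(html_fragment)
  html_fragment.scan("</script>").length > 1
end

# Fix 1: encode HTML-significant characters as JSON \u escapes (what modern
# ActiveSupport does by default via escape_html_entities_in_json; U+2028 and
# U+2029 are included because they are line terminators in JavaScript).
# Still valid JSON with the same parsed value, but no "<", ">" or "&" reaches
# the HTML tokenizer.
JSON_HTML_ESCAPES = {
  "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

def html_safe_json(record)
  JSON.generate(record).gsub(/[<>&\u2028\u2029]/) { |c| JSON_HTML_ESCAPES[c] }
end

def safe_embed_object(record)
  script_tag("var user = #{html_safe_json(record)};")
end

# Fix 2: the j + JSON.parse pattern. escape_javascript here mirrors the escape
# map of Rails' helper (backslash, quotes, newlines and "</") so the JSON can sit
# inside a single-quoted JS string literal; it is a reimplementation, not Rails.
JS_ESCAPE_MAP = {
  "\\" => "\\\\", "</" => '<\/', "\r\n" => '\n', "\n" => '\n', "\r" => '\n',
  '"' => '\\"', "'" => "\\'"
}.freeze

def escape_javascript(str)
  str.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { |m| JS_ESCAPE_MAP[m] }
end

def safe_embed_string(record)
  script_tag("var user = JSON.parse('#{escape_javascript(JSON.generate(record))}');")
end

# Emulates what the JS engine does with the single-quoted literal above, so the
# round trip can be checked without a browser: \n -> newline, \X -> X otherwise.
def unescape_js_single_quoted(literal)
  literal.gsub(/\\(.)/m) { $1 == "n" ? "\n" : $1 }
end

# The value the browser ends up with under fix 2.
def decoded_via_string_literal(record)
  JSON.parse(unescape_js_single_quoted(escape_javascript(JSON.generate(record))))
end

if $PROGRAM_NAME == __FILE__
  puts "naive: breaks out? #{breaks_out?(naive_embed(USER))}"
  puts "fix 1: breaks out? #{breaks_out?(safe_embed_object(USER))}"
  puts "fix 2: breaks out? #{breaks_out?(safe_embed_string(USER))}"
  puts safe_embed_object(USER)
end
```

The breaks_out? check is deliberately crude: it models only the one tokenizer rule that matters here (a script element ends at the first literal </script>). Fix 1 is preferable when the JSON is meant to be an object literal, because the output stays plain JSON; fix 2 is the shape to use when the view already relies on j, and on Rails 3+ the ERB expression must additionally be wrapped in raw so that ERB does not HTML-entity-encode the quotes inside the script body.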